Compliance
The Safeguards Rule, finally translated for F&I.
Safeguards Rule compliance for F&I directors: practical steps to protect customer data at the deal-jacket level. Learn what's required.

The FTC's updated Safeguards Rule went into effect for dealerships in mid-2023, and the enforcement posture has been escalating since. The rule requires dealers who qualify as financial institutions — which includes any dealership that originates consumer credit applications — to maintain a comprehensive information security program. Most dealers have heard this. Fewer have actually shipped the required changes.
This is not a compliance department problem. It is a F&I director problem, because the majority of the customer nonpublic personal information that triggers Safeguards protection flows through the finance office.
How it touches F&I specifically
The Safeguards Rule applies to "nonpublic personal information" — which the rule defines broadly to include:
- Social Security numbers and dates of birth collected on credit applications
- Income and employment information submitted to lenders
- Bank account information collected for down payment processing
- Credit report data pulled from the bureaus
- Insurance policy details collected during the deal
Every deal the F&I office processes touches at least three of these categories. Which means every deal the office processes is covered by the Safeguards Rule's requirements for how that data is collected, stored, transmitted, and destroyed.
The practical checklist
The rule requires dealerships to:
- Designate a qualified individual (QI) responsible for overseeing the information security program. This person must report to the board or senior management annually.
- Conduct a risk assessment that identifies where nonpublic personal information lives, who can access it, and what threats exist. This assessment must be documented.
- Implement access controls — limiting who can see customer data to people who need it for legitimate business purposes. For F&I, this means reviewing who has access to the DMS and the credit application portal.
- Encrypt customer data in transit and at rest. If your DMS provider is not encrypting stored credit application data, that is a compliance gap.
- Monitor and test the security program. This includes penetration testing or vulnerability assessments at least annually.
- Train employees on security awareness. This training must be documented.
- Oversee service providers — any third party who receives customer data (lenders, administrators, DMS providers) must be vetted and contractually required to implement appropriate safeguards.
- Implement a written incident response plan before you have an incident, not after.
The 500-customer threshold
Dealers who handle nonpublic personal information for fewer than 5,000 customers annually are exempt from some (not all) requirements. If you're above 5,000 — which most active dealerships are — the full rule applies.
How audits happen
FTC enforcement under the Safeguards Rule typically begins with a complaint — from a customer, a state attorney general, or a class action plaintiff who suffered a data breach and filed a complaint as part of litigation. The FTC then investigates whether the dealership had a compliant information security program in place.
The standard is not perfection — it is "reasonable." A dealership that had a documented risk assessment, designated a QI, implemented encryption, and trained employees is in a very different position than one that did nothing. The former may face remediation requirements. The latter may face civil penalties and required corrective action plans.
The most common gap we see in dealer examinations: third-party service provider oversight. Most dealers have not contractually required their DMS provider, lenders, or F&I product administrators to maintain security programs consistent with Safeguards. That contractual language needs to exist.
The bottom line
If your dealership has not yet designated a qualified individual, documented a risk assessment, and reviewed access controls to your credit application data, those three steps should happen before the end of the month. They are the minimum floor — and they are the first things an FTC investigator will ask for.
If you need guidance on what a compliant Safeguards program looks like for a dealership your size, reach out to the team. This is not a billable compliance engagement — it is part of the operating support we provide to dealer partners.
By Michael Dean Aufmuth, Agency Principal · Elite FI Partners